Systems, methods and apparatus for payment terminal management

ABSTRACT

Systems, methods and apparatus are disclosed for remote management of payment terminals. Public keys, or other security elements can be received from a certification authority and distributed to the payment terminals. A merchant, or other entity affiliated with the payment terminals, can monitor the status of the software and security elements of the payment terminals.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. provisional patentapplication Ser. No. 61/790,693, filed on Mar. 15, 2013, entitled“SYSTEMS, METHODS AND APPARATUS FOR PAYMENT TERMINAL MANAGEMENT,” thedisclosure of which is hereby incorporated by reference herein in itsentirety

BACKGROUND

Payment terminals enable customers to carry out a variety of financialtransactions. Common types of payment terminals used by consumersinclude automated teller machines and point of sale (POS) devices.Examples of transactions that are sometimes carried out with paymentterminals include the dispensing of cash, the making of deposits, thetransfer of funds between accounts, the payment of bills, the cashing ofchecks, the purchase of money orders, the purchase of stamps, thepurchase of tickets, the. purchase of phone cards and account balanceinquiries. Through an attended or unattended payment terminal, acustomer can use a payment card to make purchases for goods or services.The types of transactions a customer can carry out at a payment terminalare determined by the particular machine, the system in which it isconnected, and the programming of the machine by an entity responsiblefor its operation.

BRIEF DESCRIPTION OF THE DRAWINGS

It is believed that certain embodiments will be better understood fromthe following description taken in conjunction with the accompanyingdrawings in which:

FIG. 1 depicts a block diagram of an example payment terminalcommunication system.

FIG. 2 depicts a block diagram of another example payment terminalcommunication system.

FIG. 3A depicts a block diagram of another example payment terminalcommunication system.

FIG. 3B depicts a block diagram of another example payment terminalcommunication system.

FIG. 4 depicts an example process flow diagram for offline static dataauthentication.

FIG. 5 depicts an example process flow diagram for offline dynamic dataauthentication.

FIG. 6 depicts an example message sequence chart of a terminalcommunication system.

FIG. 7 depicts another example message sequence chart of a terminalcommunication system.

FIG. 8 depicts another example message .sequence chart of a terminalcommunication system.

FIG. 9 depicts example elements of an exemplary computing device.

DETAILED DESCRIPTION

Various non-limiting embodiments of the present disclosure will now bedescribed to provide an overall understanding of the principles of thestructure, function, and use of payment terminal management systems,methods and apparatus disclosed herein. One or more examples of thesenon-limiting embodiments are illustrated in the accompanying drawings.Those of ordinary skill in the art will understand that systems, methodsand apparatus specifically described herein and illustrated in theaccompanying drawings are non-limiting embodiments. The featuresillustrated or described in connection with one non-limiting embodimentmay be combined with the features of other non-limiting embodiments.Such modifications and variations are intended to be included within thescope of the present disclosure.

Reference throughout the specification to “various embodiments,” “someembodiments,” “one embodiment,” “some example embodiments,” “one exampleembodiment,” or “an embodiment” means that a particular feature,structure, or characteristic described in connection with any embodimentis included in at least one embodiment. Thus, appearances of the phrases“in various embodiments,” “in some embodiments,” “in one embodiment,”“some example embodiments,” “one example embodiment,” or “in anembodiment” in places throughout the specification are not necessarilyall referring to the same embodiment. Furthermore, the particularfeatures, structures or characteristics may be combined in any suitablemanner in one or more embodiments.

Throughout this disclosure, references to components or modulesgenerally refer to items that logically can be grouped together toperform a function or group of related functions. Like referencenumerals arc generally intended to refer to the same or similarcomponents. Components and modules can be implemented in software,hardware, or a combination of software and hardware. The term softwareis used expansively to include not only executable code, but also datastructures, data stores and computing instructions in any electronicformat, firmware, and embedded software. The terms information and dataare used expansively and can include a wide variety of electronicinformation, including but not limited to machine-executable ormachine-interpretable instructions; content such as text, video data,and audio data, among others; and various codes or flags. The termsinformation, data, and content are sometimes used interchangeably whenpermitted by context.

The examples discussed herein are examples only and are provided toassist in the explanation of the apparatuses, devices, systems andmethods described herein. None of the features or components shown inthe drawings or discussed below should be taken as mandatory for anyspecific implementation of any of these the apparatuses, devices,systems or methods unless specifically designated as mandatory. For easeof reading and clarity, certain components, modules, or methods may bedescribed solely in connection with a specific figure. Any failure tospecifically describe a combination or sub-combination of componentsshould not be understood as an indication that any combination orsub-combination is not possible. Also, for any methods described,regardless of whether the method is described in conjunction with a flowdiagram, it should be understood that unless otherwise specified orrequired by context, any explicit or implicit ordering of stepsperformed in the execution of a method does not imply that those stepsmust be performed in the order presented but instead may be performed ina different order or in parallel.

Payment terminals can operate in a variety of environments. Paymentterminals, such as automated teller machines (sometimes referred to asATMs), can be used to dispense cash, make deposits, transfer fundsbetween accounts, and so forth. Certain types of payment terminals canalso be used in a customer service environment. Some types of paymentterminals can be used to validate items which provide the customer withaccess, value or privileges such as tickets, vouchers, checks or otherfinancial instruments. Other examples of payment terminals can includemachines which are operative to provide users with the right tomerchandise or services in an attended or a self-service environment,such as self-service POS systems in grocery stores and pay-at-the-pumpfuel dispensers, for example. Some vending machines may incorporatepayment terminals to receiving funds in exchange for goods stored withinthe vending machine. Other examples of payment terminals include typesof POS/cash registers and retail POS systems. For purposes of thepresent disclosure, unless otherwise specifically indicated, the termpayment terminal is used to generally include any machine that can beoperated to carry out transactions including transfers of value.

Some payment terminals are considered “attended” payment terminals. Forthese types of payment terminals, an attendant is present at the pointof transaction and participates in the transaction by enteringtransaction-related data. The transaction occurs ‘face to face’. Somepayment terminals are considered “unattended” payment terminals. Forthese types of payment terminals, the cardholder conducts thetransaction at the point of transaction without the participation of anattendant. The transaction does not occur ‘face to face’. Some paymentterminals are considered “online only” payment terminals. For thesetypes of payment terminals, the transaction can normally only beapproved in real time by transmission of an authorization requestmessage. Some payment terminals are considered “offline with onlinecapability” payment terminals. For these types of payment terminals,depending upon transaction characteristics, the transaction can becompleted offline by the terminal or online in real time. It isequivalent to ‘online with offline capability’. Some payment terminalsare considered “offline only” payment terminals. For these types ofpayment terminals, the transaction can only be completed offline by theterminal. Some payment terminals are considered “operational control”payment terminals. For these types of payment terminals, an entity isresponsible for the operation of the terminal. This entity is notnecessarily the actual owner of the terminal.

Payment terminals can include various types of transaction functiondevices that are operated to carry out transactions. Different types ofpayment terminals include different types of devices. The differenttypes of devices enable the payment terminals to carry out differenttypes of transactions, including transactions involving goods, cashback,balance inquiry, funds transfer, and/or payment. Some types of paymentterminals can include a depository for accepting deposits while otherpayment terminals do not. Some payment terminals have a “touch screen”while others have separate displays and input buttons. Payment terminalscan also be fitted with devices such as cash and coin acceptors,statement printers, card readers, check validators, bill acceptors,thumb print readers and other types of devices, while other paymentterminals do not include such devices.

Payment terminals may be connected to a host computer of an acquiringinstitution (sometimes referred to as an “acquirer”) by communicationslinks. The communications links may be non-persistent, requiring thepayment terminals to reinitiate communications with the host computer ofthe acquiring institution. In certain embodiments, the communicationslinks may be persistent, requiring dedicated bandwidth. In someembodiments, a payment terminal can communicate with a host computerthrough an Asymmetric Digital Subscriber Line (ADSL) using an ADSLmodem. In other embodiments, a payment terminal can communicate with ahost computer over a wireless connection established with transceivers.In some embodiments, a payment terminal can communicate with a hostcomputer through a dial-up connection.

Some payment terminals include software that serves to carry out variousfunctionality. Example types of software can include encryption softwarethat utilizes keys, ciphers, or other temporal-based encryptionmanagement tools (referred to generally herein as “certificates”).Payment terminals capable of reading certain types of payment cards,such as cards that are Europay®, MasterCard® and Visa® (EMV) compliant,for example, utilize encryption systems that require periodic updates inorder to maintain functionality. The payment terminals can be incompliance with, for example, EMV Integrated Circuit Card Specificationsfor Payment Systems, Book 2, Security and Key Management, Version 4.3,November 2011, which is incorporated herein by reference. Paymentterminals are often part of a closed-network, thereby making itdifficult for the payment terminal to electronically contact, orotherwise communicate, with an entity that is not within theclosed-network. In some cases, a vendor, or other entity, that is notwithin the payment terminal closed-network can offer certificateupdates, software updates, and the like. Through use of a terminalmanagement computing system, as described in more detail below, apayment terminal can receive the updated certificates, and other typesof data, through communications with the terminal management computingsystem. Additionally, an entity, such as a merchant, can utilize aterminal management computing system to perform monitoring of one ormore terminals affiliated with the entity. Through such monitoring, anentity can check operational status, software status, security status,receiving reporting, and so forth.

The presently disclosed embodiments arc generally directed to systemsand methods for providing payment terminal monitoring, encryptionkey/certificate management, software patch management, and remoteterminal configuration and monitoring through a terminal managementcomputing system. Such systems and methods can include, for example, acentral terminal management computing system that is in communicationwith a plurality of payment terminals that are within a closed-networkenvironment. These payment terminals may not be able to communicate withentities outside of the closed-network in which they operate due tosecurity concerns, or other operational factors. In accordance with thepresent disclosure, the central terminal management computing system canalso be in communication with one or more entities through open-networkcommunications. Such entities include various global terminal managementservices of vendors or other certification authorities. The globalterminal management services can generate updated certificates, providesoftware updates, provide other configuration files, and the like.Generally, the terminal management computing system facilitatescommunications between a payment terminal on a closed-network with anentity on an open-network. Such communications can be used forcertificate management, software management, terminal configuration,terminal monitoring, and so forth. In some embodiments, a merchant caninterface with the terminal management computing system to receivestatus information regarding particular payment terminals. The statusinformation can include, for example, security compliance information,software version information, and so forth. For example, a particularmerchant may be in control of tens or even hundreds of payment terminals(such as ATM machines, for example), each requiring to comply withvarious security system requirements. Using the terminal managementcomputing, system of the present disclosure, the merchant can receivereporting regarding the security status of the payment terminals orotherwise monitor its payment terminals.

Referring now to FIG. 1, a block diagram of an example payment terminalcommunication system 150 is depicted. The payment terminal communicationsystem 150 includes a closed-network 140 and an open-network 130. Theclosed-network 140 can be, for example, a private payment networkallowing for secured communication between payment terminals 110A-C anda terminal management computing system 100. In some embodiments, theterminal management computing system 100 can be part of a computingsystem of an acquirer, or any other suitable entity. The paymentterminals 110A-C can be any type of payment terminal that can operate ona closed-network, such as a POS device, ATM, and so forth, as describedabove. The payment terminals 110A-C can, be configured to interface withEMV cards, such as an integrated circuit card (ICC). Example suitableinterfaces are provided by EMV Integrated Circuit Card Specificationsfor Payment Systems, Book 1, Application Independent ICC to TerminalInterface Requirements, Version 4.3, November 2011, which isincorporated herein by reference. The payment terminals 110A-C caninclude an encryption system 112A-C for encrypting communicationsemanating from the Payment terminals 110A-C. Any suitable type ofencryption technology or methodology can be used by the encryptionsystems 112A-C, which may vary from terminal to terminal. Some paymentterminals 110A-C can utilize, for example, offline static dataauthentication. Such payment terminals can use a digital signaturescheme based on public key techniques to confirm the legitimacy ofcritical ICC-resident static data. Some payment terminals 110A-C canutilize offline dynamic data authentication. Such payment terminals canuse a digital signature scheme based on public key techniques toauthenticate the ICC and confirm the legitimacy of criticalICC-resident/generated data and data received from the terminal. Othertypes of payment terminals 110A-C can utilize other authentication orencryption techniques. The encryption systems 112A-C can utilizecertificates 114A-C which expire, or otherwise become inoperable, overtime. In some embodiments; the certificates 114A-C are valid for a spanof one year, although this disclosure is not so limited. Prior to acertificate 114A-C expiring, the terminal 110A-C can receive an updatedcertificate such that the payment terminal can continue to properlyoperate.

The vendor terminal management service 120, which can be part of theopen-network 150, can generate the certificate updates, as well providesoftware updates, configurations, and the like. In some embodiments, thevendor terminal management service 120 generally functions as acertification authority. Since in this configuration the vendor terminalmanagement service 120 is not part of the closed-network 140, theterminals 110A-C cannot directly communicate with the vendor terminalmanagement service 120. Therefore, the terminals 110A-C cannot retrieveor receive updated certificates, or any other types of communicationsfrom the vendor terminal management service 120, which: would requirethe terminals 110A-C communicating directing in or through theopen-network 150. In accordance with the systems, methods and apparatusdescribed herein, the terminal management computing system 100 cangenerally facilitate such transfer of data between the terminals 110A-Cand the vendor terminal management service 120. The terminal managementcomputing system 100 can communicate on the open-network 130 with thevendor terminal management service 120 to receive various data and, inturn, pass it along to the terminals 110A-C on the closed-network 140.While the particular type of open-network 130 used can vary based on thevendor terminal management service 120, among other factors, in someembodiments, the open-network 130 can be a public communications network(i.e., the Internet), a virtual private network (VPN), an intranet, .oranother type of third party network, for example.

With specific regard to updating the certificates 114A-C, the terminalmanagement computing system 100 can operate, for example, to “push”updated certificates to particular terminals 110A-C at certain intervalsor based on certain circumstances. In other embodiments, the terminals110A-C can “pull” the updated certificates at certain intervals or basedon certain circumstances. Example message sequence charts for push andpull scenarios are illustrated in FIGS. 6-8 and are described in moredetail below. In addition to certificate updates, the terminalmanagement computing system 100 can be used to facilitate softwareupdates, and/or terminal configuration, among other terminal managementoperations, such as confirming successful certificate updating.

Referring now to FIG. 2, a block diagram of another example paymentterminal communication system is depicted. The payment terminalcommunication system is shown comprising a vendor terminal managementservice 220, a terminal management computing system 200, and paymentterminals 210A-N. Merchants using merchant computing devices 240A-N canbe in communication with the terminal management computing system 200.Through this communication, a particular merchant using the merchantcomputing devices 240A-N can obtain information regarding any of itsaffiliated payment terminals 210A-N. In the illustrated embodiment,merchant A is affiliated with terminal A and terminal. B, merchant B isaffiliated with terminals. A-M, and merchant Nis affiliated withterminal A. As is to be appreciated, any suitable number of merchants(or other management entities) may interact with the terminal managementcomputing system 200.

The terminal management computing system 200 can be provided using anysuitable processor-based device or system, such as a personal computer,laptop, server, mainframe, or a collection (e.g., network) of multiplecomputers, for example. The content management system 200 can includeone or more processors 230 and one or more computer memory units 232.For convenience, only one processor 230 and only one memory unit 232 arcshown in FIG. 2. The processor 230 can execute software instructionsstored on the memory unit 232. The processor 230 can be implemented asan integrated circuit (IC) having one or multiple cores. The memory unit232 can include volatile and/or non-volatile memory units. Volatilememory units can include random access memory (RAM), for example.Non-volatile memory units can include read only memory (ROM), forexample, as well as mechanical non-volatile memory systems, such as, forexample, a hard disk drive, an optical disk drive, etc. The RAM and/orROM memory units can be implemented as discrete memory ICs, for example.

The memory unit 232 can store executable software and data for aterminal management engine 234. When the processor 230 of the terminalmanagement computing system 200 executes the software of the terminalmanagement engine 234, the processor 230 can be caused to perform thevarious operations of the terminal management computing system 200, suchas monitoring, encryption key/certificates, software patch management,and remote terminal configuration and monitoring.

As shown in FIG. 2, the terminal management computing system 200 caninclude several computer servers and databases. For example, theterminal management computing system 200 can include one or more webservers (shown as web server 238), application servers (shown asapplication server 240), terminal servers (shown as terminal server242), and/or any other type of servers. For convenience, only one webserver 238, one application server 240, and one terminal service 242 areshown in FIG. 2, although it should be recognized that the disclosure isnot so limited. The servers can cause content to be sent to the merchantcomputing device 240A-N in any number of formats, such as text-basedmessages, multimedia message, email messages, smart phone notifications,web pages, and so forth. The servers can also be used to send or receivedata from the terminals 210A-N and/or the vendor terminal managementservice 220. The services can also cause content to be sent to orreceived from the vendor terminal management service 220. The servers238, 240, 242 can comprise processors (e.g., CPUs), memory units (e.g.,RAM, ROM), non-volatile storage systems (e.g., hard disk drive systems),etc.

The web server 238 can provide a graphical web user interface throughwhich various users of the system can interact with the terminalmanagement computing system 200. The web server 238 can accept requests,such as HTTP requests, from clients (such as web browsers on themerchant computing devices 240A-N), and serve the clients responses,such as. HTTP responses, along with optional data content, such as webpages (e.g., HTML documents) and linked objects (such as images, video,and so forth). The application server 238 can provide a user interfacefor users who do not. communicate with the terminal management computingsystem 200 using a web browser. Such users can have special softwareinstalled on a mobile communications device, for example, that allowsthem to communicate with the application server 238 via the network. Theterminal server 242 can facilitate communication with the terminals210A-N to provide updated certificates, check status, provide softwareupdates or patches, and so forth.

The terminal management computing system 200 can comprise with one ormore data stores (shown as data store 236), which can be any suitabletype of database or data store. The data store 236 can store, forexample, encryption-related information, such as keys, certificates,expiration dates, download dates, install dates and so forth. In someembodiments, the data store 236 can generally be configured to storeencryption keys received by terminal management computing system 200from the vendor terminal management service 220.

The terminal management computing system 200 can generally provide formanagement of the payment terminals 210A-N, including softwaremanagement and encryption management. In some embodiments, an entitymanaging one of the secure payment terminals 210A-N, such as one of themerchants A-N can utilize the terminal management computing system 200to schedule and push on-demand configuration, patches, and keys to theparticular payment terminals that it manages. The terminal managementcomputing system 200 can interface with the various payment terminals210A-N through various network communications, schematically illustratedas network communications 270. Through network communications 270, theterminal management computing system 200 can perform various terminalmanagement functions, such as the monitoring of software versions,monitoring key expiration, among other types of monitoring. Throughnetwork communications 270, the terminal management computing system 200can also securely deliver data to secure payment terminals 210, such asupdated certificates, software updates, software patches, configurationsfiles, and so forth.

The terminal management computing system 200 can interface with thevendor terminal management service 220 through various networkcommunications, which are schematically illustrated as communications260. Through these network communications 260, the terminal managementcomputing system 200 can retrieve software patches, updates, and keys,among other types of data from the global terminal management service220. The vendor terminal management service 220 can comprise variousmodules, such as a key update module and a software update module 224.While only one vendor terminal management service 220 is illustrated inFIG. 2, it is to be appreciated that the terminal management computingsystem 200 can communicate with a plurality of different vendor terminalmanagement service 220. For example, the particular secure paymentterminals 210 in communication with the terminal management computingsystem 200 can have different types of software, that each requireperiodic updating from different types of vendors. The terminal,management computing system 200 can track these requirements and contactthe. appropriate vendor terminal. Management service (e.g., 220) for theparticular payment terminal 210A-N that is in need of an update.

In some embodiments, the terminal management computing system 200proactively contacts the vendor terminal management service modules(e.g., 222) prior to the expiration of a certificate on one of thesecure payment terminals 210A-N. Upon receiving the update certificatefrom the vendor terminal management service 220, it can be stored in theencryption key storage provided by data store 236. At a later point intime, the updated key can be provided to one or more of the securepayment terminals 210A-N through network communications 270. In someembodiments, the terminal management computing system 200 is configuredto wait until a secure payment terminal 210A-N submits an updaterequest. In other embodiments, the updated key is pushed to the securepayment terminals 210 at a certain time of day, such as during periodsof light transaction payment activity. Optionally, a merchant A-N caninteract with the terminal management computing system 200 to schedule,or otherwise, direct the updating or configuring of the paymentterminals 210A-N. By way of example, one of the merchants A-N can bealerted that a particular certificate or software upgrade needs, to beprovided to a particular payment terminal A-N. The merchant can thenselectively determine when that certificate or software upgrade is to bedelivered to the payment terminals A-N. The merchant can provide to theterminal management computing system 200, for example, a selected timeand date, a time range on a date, a time across a plurality of dates, atime range across a plurality of dates, and so forth. Using thisapproach, the merchant may be able to select a generally convenient timefor the terminal management computing system 200 to interact with one ofthe payment terminals 210A-N. Additionally, subsequent to theinteraction with the payment terminal, the terminal management computingsystem 200 can provide reporting to the merchant to show a particularsoftware upgrade was successfully installed, a particular certificatewas successfully received, or any other configuration activity wassuccessfully completed. Thus, through the terminal management computingsystem 200, a merchant A-N may receive generally real-time informationregarding the security and software, status of any affiliated paymentterminal 210A-N. Such reporting can be used, for example, for themerchant A-N to monitor compliance with various EMV-relatedspecifications.

FIG. 3A depicts a block diagram of another example payment terminalcommunication system. In this embodiment, a certification authority 370is in communication with an acquirer 350 and a card issuer 360. Thecertification authority 370 can be similar to the vendor terminalmanagement service 220 described in FIG. 2, or can be any trusted thirdparty that is a secure cryptographic facility that ‘signs’ keys. In someembodiments, the certification authority 370 can provide an issuerpublic key certificate to the card issuer 360 via communications links392. The card issuer 360 can provide this certificate to an ICC. Thepublic key can also be provided to the acquirer 350 via communicationslinks 390. In this embodiment, acquirer 350 comprises a terminalmanagement computing system 300, which may be similar to the terminalmanagement computing systems 100, 200 of FIGS. 1 and 2, respectively.The acquirer 360 can be in communication with a plurality of paymentterminals of various types. In the illustrated embodiment, the acquirer360 is in communication with terminal 310A and terminal 310B viarespective communications links 384A, 384B. Accordingly, the acquirer360 can be used to process various types of transactions initiated bythe transaction systems 316A, 316B of the terminals 310A, 310B. Asprovided above, the particular types of transactions may vary dependingon the type of terminals, but example transactions include payment,providing funds, purchasing goods, balance inquiries, and balancetransfers. In order to process such transactions, the acquirer 350 cancommunicate with various entities (not shown) within a payment networkto send authorization requests, receive authorization replies, and soforth. The terminal management computing system 300 can utilize theencryption systems 312A, 312B of the terminals 310A, 310B whentransferring data via communication links 386A, 386B. In someembodiments, communication link 384A is also communication link 386A andcommunication link 384B is also communication link 386B. Generally, theterminal management computing system 300 can communicate with theterminals 310A, 310B to perform terminal monitoring, remote terminalconfiguration, certification management, and so forth. Additionally, insome embodiments, a merchant 340 can interface with the terminalmanagement computing system 300 via a communication link 388. Throughthis interface, the merchant 340 can monitor various terminals, runreports, and/or control the certification or software updating process.In some embodiments, the interface is presented through a web portal, aspecialized application, or any other suitable type of interface.

FIG. 3B depicts a block diagram of another example payment terminalcommunication system. The illustrated communication system is similar toFIG. 3A, with the exception that the terminal management computingsystem 300 and the acquirer 250 are separate entities. Accordingly, thecertification authority 370 provide, keys to the acquirer 350 via acommunication link 390 and the acquirer then passes it along to theterminal management computing system 300 via communication link 320.

Payment terminals implementing EMV technology can utilize any number ofauthentication techniques for process ICC cards, including static dataauthentication (SDA) and dynamic data authentication (DDA). In eithercase, a terminal management computing system can be used to receiveencryption-related data from a certification authority and pass it alongto the appropriate payment terminal. Additional details regardingexample authentication techniques are described in EMV IntegratedCircuit Card Specifications for Payment Systems, Book 2, Security andKey Management, Version 4.3, November 2011.

FIG. 4 depicts an example process flow diagram for offline static dataauthentication. The process includes a card issuer 460, a certificationauthority 470 and an acquirer 450. While a terminal management computingsystem 400 is shown as a component of the acquirer 450, in otherembodiments, they may be separate entities (as shown in FIG. 3B, forexample). Offline static data authentication is performed by theterminal 410 using a digital signature scheme based on public keytechniques to confirm the legitimacy of critical ICC-resident staticdata. This can detect authorization alteration of data afterpersonalization. Static Data Authentication (SDA) is a form of offlinestate data authentication that verifies the data identified by theApplication File Locator (AFL) and by the optional Static DataAuthentication Tag List. SDA can require the existence of thecertification authority 470, which can be a highly secure cryptographicfacility that ‘signs’ the issuer's public keys.

The terminal 410 can contain the appropriate certification authority'spublic key(s) 416 for every application recognized by the terminal 410.In some cases, multiple applications can share the same ‘set’ ofcertification authority public keys 416.

In one embodiment, to support SDA, the terminal 410 can store sixcertification authority public keys 416 per Registered ApplicationProvider Identifier (RID) and associate with each such key thekey-related information to be used with the key. The public key 416 canbe provided to the acquirer 400, which then uses the terminal managementcomputing system 400 to provide it to terminal 410.

To support SDA, an ICC 406 can contain the Signed Static ApplicationData 404 (SSAD), which is static application data 402 signed with theIssuer Private Key 408. The Issuer Public Key 424 can be stored on theICC 406 with a public key certificate 412.

The terminal 410 may also support a Certification. Revocation List (CRL)that lists the Issuer Public Key Certificates that have been revoked.If, during SDA, a concatenation of the RID and Certification AuthorityPublic Key Index from the ICC 406 and the Certificate Serial Numberrecovered from the Issuer Public Key Certificate is on this list, SDAfails. In some embodiments, the CRL is provided to the acquirer 450. TheCRL may then be provided to the terminal 410 by the terminal managementcomputing system 400.

During a transaction at the terminal 410 using an ICC 406, the ICC 406provides the issuer private key certificate 412 and the SSAD 404 to theterminal 410. The terminal 410 uses the public key 416 to verify thatthe issuer's public key 424 was signed by the certification authority410 with private key 414. The terminal uses the issuer public key 424 toverify that the ICC's 406 SSAD 404 was signed by the issuer 460.

FIG. 5 depicts an example process flow diagram for offline dynamic dataauthentication. The process includes a card issuer 560, a certificationauthority 570 and an acquirer 550. While a terminal management computingsystem 500 is shown as a component of the acquirer 550, in otherembodiments, they may be separate entities (as shown in FIG. 3B, forexample). Offline dynamic data authentication can be performed by theterminal 510 using a digital signature scheme based on public keytechniques to authenticate the ICC 506 and confirm the legitimacy ofcritical ICC-resident/generated data and data received from the terminal510.

Two forms of offline dynamic data authentication exist. A first form isDynamic Data Authentication (DDA), which can be executed before cardaction analysis. Using DDA, the ICC 506 generates a digital signature.on ICC-resident/generated data identified by the ICC Dynamic Data anddata received from the terminal 510 identified by the Dynamic DataAuthentication Data Object List (DDOL). The ICC generates a digitalsignature on ICC-resident/generated data identified by the ICC DynamicData, which contains a transaction certification (TC) or anAuthorization Request Cryptogram (ARQC), and an unpredictable numbergenerated by the terminal.

Various types of offline dynamic data authentication can require theexistence of, a highly secure cryptographic facility that ‘signs’ theIssuer's Public Keys 524, such as the certification authority 570. Theterminal 510 can contain the appropriate certification authority'spublic key(s) 516 for every application recognized by the terminal 510.In some cases, multiple applications can share the same ‘set’ ofcertification authority public keys 516. To support offline dynamic dataauthentication, each terminal may store a plurality of certificationauthority public keys 516 per RID and associate with each such key thekey-related information to be used with the key. These public keys 516can be transmitted by the certification authority 570 to the acquirer550, which utilizes the terminal management computing system 500 toprovide the keys to the terminals 510.

In accordance with offline dynamic data authentication, an ICC 506 canown its own unique public key pair consisting of a private signature key502 and the corresponding public verification key 520. The ICC PublicKey 520 can be stored on the ICC 506 in a public key certificate 522. Insome cases, a three-layer public key certification scheme is used. EachICC Public Key 520 is certified by its issuer 560, and the certificationauthority 570 certifies the Issuer Public Key 524. This implies that,for the verification of an ICC signature, the terminal 510 first needsto verify two certificates in order to retrieve and authenticate the ICCPublic Key 520, which is then employed to verify the ICC's dynamicsignature.

To execute offline dynamic data authentication, the terminal 510 canfirst retrieve and authenticate the ICC Public Key 520 (this process maybe called ICC Public Key authentication). All the information necessaryfor ICC Public Key authentication can be stored in the ICC 506.

Similar to the terminal 410 in FIG. 4, the terminal 510 may support aCertification Revocation List (CRL) that lists the Issuer Public KeyCertificates 512 that have been revoked. The CRL may be provided to theterminal 510 by the terminal management computing system 500. If, duringdynamic data authentication (DDA or CDA), a concatenation of the RID andCertification Authority Public Key Index from the card and theCertificate Serial Number recovered from the Issuer Public KeyCertificate is on this list, dynamic data authentication fails.

During a transaction at the terminal 510 using an ICC 506, the ICC 506provides the issuer private key certificate 512, which is the issuerpublic key 524 signed by the certification authority 570 with privatekey 514. The ICC 506 also provides the ICC PK certificate 522, which isthe ICC public key 520 and static application data, 504 signed by theissuer private key 508. The terminal 41,0 uses the public key 516 toverify that the issuer's public key 524 was signed by the certificationauthority 410. The terminal uses the issuer public key 424 to verifythat the ICC public key 520 and the static application data 504 weresigned by the issuer 560.

FIG. 6 depicts a message sequence chart for an example certificate“pull” scenario for a payment terminal communication system comprising aterminal 610, a terminal management computing system 600, and a vendorglobal terminal management service 620. When the software executing onterminal 610 is in need of an updated certificate, a request 650 is sentto the terminal management computing system 600. The request 650 can besent through a closed-network 640. In some embodiments, the address,such as an IP address or MAC address, of the terminal managementcomputing system 650 is coded into the software of the terminal 610,such that when the terminal needs an updated certificate, itautomatically sends an appropriate request to the terminal managementcomputing system 600. Upon receiving the request, the terminalmanagement computing system 600 can process the request and determinethe appropriate vendor global terminal management service to contact,such as a MASTERCARD® server, a FISERV® server, or other appropriateentity based on the request from the terminal 610. Using message 652,the terminal management computing system 600 contacts the vendor globalterminal management service 620 to request the information needed by theterminal 610, such as an updated certificate, a software update, asoftware patch, and so forth. The vendor global terminal managementservice 620 responds with a message 654 that includes the requesteddata. As illustrated, the message 652 and the message 654 can be sentthrough an open-network 630, which is different from the closed-network640. Upon receiving the data from the vendor global terminal managementservice 620, the terminal management computing system 600 sends amessage 656 to the terminal 610 that includes the requested updatedcertificate.

FIG. 7 depicts a message sequence chart for an example certificate“push” scenario for a payment terminal communication system comprising aterminal 710, a terminal management computing system 700, and a vendorglobal terminal management service 720. In this embodiment, the terminalmanagement computing system 700 obtains updated certificates, updatedsoftware, and the like from the vendor global terminal managementservice 720 without receiving a request from the terminal 710. In someembodiments, the terminal management computing system 700 tracksanticipated expirations of certificates or keys on the terminal 710 andgathers updated certificate or keys prior to the expiration from theappropriate sources. In some embodiments, the vendor global terminalmanagement service 720 sends a message to the terminal managementcomputing system 700 indicating a software update is available. In anyevent, using message 752, the terminal management computing system 700contacts the vendor global terminal management service 720 to requestthe information on behalf of the terminal 710, such as an updatedcertificate, a software update, a software patch, and so forth. Thevendor global terminal management service 720 responds with a message754 That includes the requested data. As illustrated, the message 752and the message 754 can be sent through an open-network 730. In someembodiments, the message 752 is omitted. Upon receiving the data fromthe vendor global terminal management service 720, the terminalmanagement computing system 700 sends a message 756 to the terminal 710through a closed-network 770 that includes the requested updatedcertificate, or other data received from the vendor global terminalmanagement service 720. The message 756 can be transmitted to theterminal 710 by the terminal management computing system 700 at anysuitable time. For example, in some embodiments, the message 756 is sentduring a period of time in which the terminal 710 typical experienceslittle payment activity, such as from 1 AM to 3 AM. In some embodiments,the terminal management computing system 700 can send a message to theterminal 710 indicating that an updated certificate, or other type ofdata, is available for download and waits to receive a request from theterminal 710.

FIG. 8 depicts a message sequence chart for an example certificate pushscenario for a payment terminal communication system comprising amerchant 840, a certification authority 870, an acquirer 850, a terminalmanagement computing system 800, and a terminal 810. The certificationauthority 870 distributes a message 820 including a certificationauthority public key to the acquirer 850. In a message 822, the acquirer850 provides the public key to the terminal management computing system800. The terminal management computing system 800 then provides thepublic key to the terminal 810 in a message 824, either upon receivingthe key from the acquirer 850 or based upon merchant-defined rules orother key distribution rules. The merchant 840 can send a message 826 tothe terminal management computing system 800 requesting a status updateon terminal 810. Upon receiving the message 826, the terminal managementcomputing system 800 can poll terminal 810 using message 828 to retrievethe information requested by the merchant 840. As is to be appreciated,a variety of informational requests can be made by the merchant 840,including a determination if any keys are expired, when certain keyswere downloaded by the terminal, a software version query, aconfirmation that a key was successfully received by the terminal 810,and so forth. The terminal 810 responds to the status request withmessage 830. The terminal management computing system 800 then providesa message 832 to the merchant with the requested information. Throughinteractions between the merchant 840 and the terminal managementcomputing system, the merchant 840 can also schedule, customize, orotherwise control the distribution of various keys and software updatesor patches. For example, the merchant 840 may identify certain timewindows the terminal management computing system 800 can use tocommunicate with the terminal 810. Such time windows can coincide, forexample, with time windows typically having a low number oftransactions.

Referring now to FIG. 9, example elements of an exemplary computingdevice 900 are illustrated. The computing device 900 can be desktopcomputer, a server, a mobile computing device such as a smartphone, orany other suitable computing device as would be understood in the art.The computing device 900 can include a processor 902 that can be anysuitable type of processing unit, for example a general purpose centralprocessing unit (CPU), a reduced instruction set computer (RISC), aprocessor that has a pipeline or multiple processing capabilityincluding having multiple cores, a complex instruction set computer(CISC), a digital signal processor (DSP), an application specificintegrated circuits (ASIC), a programmable logic devices (PLD), and afield programmable gate array (FPGA), among others. The computingresources can also include distributed computing devices, cloudcomputing resources, and virtual computing resources in general.

The computing device 900 is also shown to include one or more memories(e.g., memory 906), for example read only memory (ROM), random accessmemory (RAM), cache memory associated with the processor 902, or othermemories such as dynamic RANI (DRAM), static ram (SRAM), flash memory, aremovable memory card or disk, a solid state drive, and so forth. Thecomputing device 900 can additionally or alternatively also includesstorage media such as a storage device that can be configured to havemultiple modules, such as magnetic disk drives, floppy drives, tapedrives, hard drives, optical drives and media, magneto-optical drivesand media, compact disk drives, Compact Disk Read Only Memory (CD-ROM),Compact. Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), asuitable type of Digital Versatile Disk (DVD) or BluRay disk, and soforth. Storage media such as flash drives, solid state hard drives,redundant array of individual disks (RAID), virtual drives, networkeddrives and other memory means including storage media on the processor902, or memory 906 are also contemplated as storage devices.

Network and communication interfaces 908 can allow the computing device900 to communicate with other devices across a network 912. The networkand communication interfaces 908 can be an Ethernet interface, a radiointerface, a telephony interface, a Universal Serial Bus (USB)interface, or any other suitable communications interface. Examplecommunication interfaces 980 can includes wired data transmission linkssuch as Ethernet and TCP/IP, as well as PSTN communications links suchas TIs(or better), integrated services digital network (ISDN), DigitalSubscriber Line (DSL), or dialup moderns that implement, for example,the point-to-point protocol (PPP). The communication interface 980 caninclude wireless protocols for interfacing with the network 912 whichcan private or public networks 912, such as closed-loop and open-loopnetworks. For example, the network and communication interfaces 908 andprotocols can include interfaces for communicating with private wirelessnetworks such as a WiFi network, one of the IEEE 802.11x family ofnetworks, or another suitable wireless network. The network andcommunication interfaces 908 can include interfaces and protocols forcommunicating with public wireless networks, using for example wirelessprotocols used by cellular network providers, including Code DivisionMultiple Access (CDMA) and. Global System for Mobile Communications(GSM). A computing device 900 can use network and communicationinterfaces 908 to communicate with hardware modules such as a databaseor data store, or one or more servers or other networked computingresources. Data can be encrypted or protected from unauthorized access.

In various configurations, the computing device 900 can include a systembus 910 for interconnecting the various components of the computingdevice 900, or the computing device 900 can be integrated into one ormore chips such as programmable logic device or application specificintegrated circuit (ASIC). The system bus 910 can include a memorycontroller, a local bus, or a peripheral bus for supporting input and,output devices 904, or communication interfaces 908. Example input andoutput devices 904 include keyboards, keypads, gesture or graphicalinput devices, motion input devices, touchscreen interfaces, displays,audio units, voice recognition units, vibratory devices, computer mice,and any other suitable user interface.

The processor 902 and memory 906 can include nonvolatile memory forstoring computer-readable instructions, data, data structures, programmodules, code, microcode, and other software components for storing thecomputer-readable instructions in non-transitory computer-readablemediums in connection with the other hardware components for carryingout the methodologies described herein. Software components can includesource code, compiled code, interpreted code, executable code, staticcode, dynamic code, encrypted code, or any other suitable type of codeor computer instructions implemented using any suitable high-level,low-level, object-oriented, visual, compiled, or interpreted programminglanguage. Various computing devices described herein, such as paymentterminals, acquirers, vendor terminal management services, issuers, andterminal management computing systems, can incorporate computing devicessimilar to the computing device 900 illustrated in FIG. 9.

In general, it will be apparent to one of ordinary skill in the art thatat least some of the embodiments described herein can be implemented inmany different embodiments of software, firmware, and/or hardware. Thesoftware and firmware code can be executed by a processor or any othersimilar computing device. The software code or specialized controlhardware that can be used to implement embodiments is not limiting. Forexample, embodiments described herein can be implemented in computersoftware using any suitable computer software language type, using, forexample, conventional or object-oriented techniques. Such software canbe stored on any type of suitable computer-readable medium or media,such as, for example, a magnetic or optical storage medium. Theoperation and behavior of the embodiments can be described withoutspecific reference to specific software code or specialized hardwarecomponents. The absence of such specific references is feasible, becauseit is clearly understood that artisans of ordinary skill would be ableto design software and control hardware to implement the embodimentsbased on the present description with no more than reasonable effort andwithout undue experimentation.

Moreover, the processes described herein can be executed by programmableequipment, such as computers or computer systems and/or processors.Software that can cause programmable equipment to execute processes canbe stored in any storage device, such as, for example, a computer system(nonvolatile) memory, an optical disk, magnetic tape, or magnetic disk.Furthermore, at least some of the processes can be programmed when thecomputer system is manufactured or stored on various types ofcomputer-readable media.

It can also be appreciated that certain portions of the processesdescribed herein can be performed using instructions stored on acomputer-readable medium or media that direct a computer system toperform the process steps. A computer-readable medium can include, forexample, memory devices such as diskettes, compact discs (CDs), digitalversatile discs (DVDs), optical disk drives, or hard disk drives. Acomputer-readable medium can also include memory storage that isphysical, virtual, permanent, temporary, semipermanent, and/orsemitemporary.

A “computer,” “computer system,” “host,” “server,” or “processor” canbe, for example and without limitation, a processor, microcomputer,minicomputer, server, mainframe, laptop, personal data assistant (PDA),wireless e-mail device, cellular phone, pager, processor, fax machine,scanner, or any other programmable device configured to transmit and/orreceive data over a network. Computer systems and computer-based devicesdisclosed herein can include memory for storing certain software modulesused in obtaining, processing, and communicating information. It can beappreciated that such memory can be internal or external with respect tooperation of the disclosed embodiments. The memory can also include anymeans for storing software, including a hard disk, an optical disk,floppy disk, ROM (read only memory), RAM (random access memory), PROM(programmable ROM), EEPROM (electrically erasable PROM) and/or othercomputer-readable media. Non-transitory computer-readable media, as usedherein, comprises all computer-readable media except for a transitory,propagating signals.

In various embodiments disclosed herein, a single component can bereplaced by multiple components and multiple components can be replacedby a single component to perform a given function or functions. Exceptwhere such substitution would not be operative, such substitution iswithin the intended scope of the embodiments. Any servers describedherein, for example, can be replaced by a “server farm” or othergrouping of networked servers (such as server blades) that are locatedand configured for cooperative functions. It can be appreciated that aserver farm can serve to distribute workload between/among individualcomponents of the farm and can expedite computing processes byharnessing the collective and cooperative power of multiple servers.Such server farms can employ load-balancing software that accomplishestasks such as, for example, tracking demand for processing power fromdifferent machines, prioritizing and scheduling tasks based on networkdemand and/or providing backup contingency in the event of componentfailure or reduction in operability.

The computer systems can comprise one or more processors incommunication with memory (e.g., RAM or ROM) via one or more data buses.The data buses can carry electrical signals between the processor(s) andthe memory. The processor and the memory can comprise electricalcircuits that conduct electrical current. Charge states of variouscomponents of the circuits, such as solid state transistors of theprocessor(s) and/or memory circuit(s), can change during operation ofthe circuits.

Some of the figures can include, a flow diagram. Although such figurescan include a particular logic flow, it can be appreciated that thelogic flow merely provides an exemplary implementation of the generalfunctionality. Further, the logic flow does not necessarily have to beexecuted in the order presented unless otherwise indicated. In addition,the logic flow can be implemented by a hardware element, a softwareelement executed by a computer, a firmware element embedded in hardware,or any combination thereof.

The foregoing description of embodiments and examples has been presentedfor purposes of illustration and description. It is, not intended to beexhaustive or limiting, to the forms described. Numerous modificationsare possible in light of the above teachings. Some of thosemodifications have been discussed, and others will be understood bythose skilled in the art. The embodiments were chosen and described inorder to best illustrate principles of various embodiments as arc suitedto particular uses contemplated. The scope is, of course, not limited tothe examples set forth herein, but can be employed in any number ofapplications and equivalent devices by those of ordinary skill in theart. Rather it is hereby intended the scope of the invention to bedefined by the claims appended hereto.

1-30. (canceled)
 31. A system, comprising: a terminal managementhardware server comprising a processor, wherein the terminal managementhardware server is in network communication with a plurality of remotepayment terminals via a first network, wherein each of the plurality ofpayment terminals comprises an encryption system, and wherein theterminal management hardware server is configured to: synchronouslypoll, using the processor, each of the plurality of payment terminals toindividually request, from each of the plurality of payment terminals,an expiration date of the respective encryption system; and transmit tothe respective payment terminal of the plurality of payment terminals,using the processor, a respective update to the respective encryptionsystem.
 32. The system of claim 31, wherein the update comprises anupdate to an expiring encryption key.
 33. The system of claim 31,wherein the terminal management hardware server is further in networkcommunication with at least one terminal management entity via a secondnetwork, wherein the first network is not the second network, andwherein the terminal management hardware server is further configured totransmit, using the processor, to the at least one terminal managemententity prior to the respective expiration date of the respectiveencryption system, a request for an update to the respective encryptionsystem based on the expiration date of the respective encryption system,and wherein the update to the encryption system is received from theterminal management entity via a second network.
 34. The system of claim31, wherein the terminal management hardware server is furtherconfigured to: generate, using the processor, a polling report based onthe polling comprising a status update of each of the plurality ofpayment terminal and a status update of the encryption system of each ofthe plurality of payment terminals.
 35. The system of claim 34, whereinthe status update of each of the plurality of payment terminalscomprises a expiry date of a security element.
 36. The system of claim31, wherein transmitting to the respective payment terminal of theplurality of payment terminals the respective update to the respectiveencryption system is based on receiving a request from the respectivepayment terminal of the plurality of payment terminals via the firstnetwork.
 37. The system of claim 33, wherein the terminal managementhardware server is in communication with a plurality of terminalmanagement entities.
 38. The system of claim 31, wherein at least one ofthe remote payment terminals is an automated teller machine.
 39. Anon-transitory computer readable medium having instructions storedthereon which when executed by a processor cause the processor to:communicate with a plurality of remote payment terminals via a closednetwork, wherein each of the plurality of payment terminals comprisesupdatable software; synchronously poll each of the plurality of paymentterminals to individually request, from each of the plurality of paymentterminals, an expiration date of the respective encryption system; andtransmit to the respective payment terminal of the plurality of paymentterminals a respective update to the respective encryption system, thesoftware update transmitted via network communications on the closednetwork.
 40. The non-transitory computer readable medium of claim 39,wherein the updatable software comprises a security element, and whereinthe software update comprises an update to an encryption key.
 41. Thenon-transitory computer readable medium of claim 39, wherein theinstructions further cause the processor to communicate with at leastone terminal management entity via an open network, wherein the closednetwork is not the open network, and wherein the software update isreceived from the at least one terminal management entity via the opennetwork.
 42. The non-transitory computer readable medium of claim 39,wherein the instructions further cause the processor to: generate areport based on the polling comprising a status update of each of theplurality of payment terminals and a status update of the updatablesoftware of each of the plurality of payment terminals.
 43. Thenon-transitory computer readable medium of claim 42 wherein the statusupdate of each of the plurality of payment terminals comprises a stateof a security element.
 44. The non-transitory computer readable mediumof claim 39, wherein transmitting to the respective payment terminal ofthe plurality of payment terminals the respective update to therespective encryption system is based on receiving a request from therespective payment terminal of the plurality of payment terminals viathe closed network.
 45. The non-transitory computer readable medium ofclaim 41, wherein the instructions further cause the processor to:communicate with a plurality of terminal management entities via theopen network.
 46. The non-transitory computer readable medium of claim39, wherein at least one of the remote payment terminals is an automatedteller machine.
 47. A system, comprising: a terminal management hardwareserver comprising a processor, wherein the terminal management hardwareserver is in network communication with: an automated teller machine viaa closed network, wherein the automated teller machine comprisesencryption software; and wherein the terminal management hardware serveris configured to: synchronously poll, using the processor, the automatedteller machine to individually request, from the automated tellermachine, an expiration date of the encryption software; and transmit tothe automated teller machine, using the processor, a security update tothe encryption software of the automated teller machine, the securityupdate transmitted via network communications on the closed network. 48.The system of claim 47, wherein the automated teller machine isconfigured to read chip-based payment cards using a card reader, andwherein the encryption software is associated with the card reader. 49.The system of claim 47, wherein transmitting the security update to theautomated teller machine is responsive to a request received from theautomated teller machine.
 50. The system of claim 47, wherein theterminal management hardware server is further in network communicationwith a terminal management entity via an open network, wherein theclosed network is not in network communication with the open network,wherein the terminal management entity provides security updatesassociated with the encryption software, and wherein the terminalmanagement hardware server is configured to transmit, using theprocessor, to the terminal management entity prior to the expirationdate of the encryption software, a request for an update to encryptionsoftware based on the expiration date of the encryption software, andwherein the security update is received from the terminal managemententity via network communications on the open network.